TrustArc Blog

Stanford Studies Remind Us About What’s Under the (Ad Platform) Hood

August 03, 2011

Matthew Shevach
Director, Product Marketing

Over the past two weeks there have been several studies out of the Stanford Security Lab’s new web measurement platform that investigate how advertising networks respond to opt-out and Do Not Track requests. This group followed on with an additional study that reviewed a technique known as a “history stealing”.

‘History stealing’ is the practice of exploiting the fact that link styles are changed when they have previously been visited by a user on older versions of most web browsers. A history stealing script is used to test whether a user has visited a link by adding it to a web page and checking the style. This information is then compiled into a list of sites or interests about a particular user and can also be used to potentially track or possibly expose a user’s identity.

While the accuracy of these studies and the appropriateness of this technique may be debatable (we have heard good arguments on both sides), in our minds what this sort of study demonstrates is that while notice and choice regimes such as those presented via the Advertising Option Icon are an important part of building a privacy safe ad ecosystem, it is equally important for all stakeholders who run, partner with, and advertise on these ever-innovating ad platforms to have an under-the-hood understanding of the process and deeper assurances that technical methodologies designed to get more campaign efficiencies do not lead to privacy violations. For businesses, brands, consumer and regulators ““ knowing what’s really happening can make all the difference.

TRUSTe’s response is two-fold:

First, academic and technical research can shine a light on activities that may not be known or well understood. This informs our understanding and puts pressure on self-regulatory organizations and service providers to adapt and evolve with new technologies, even those that attempt to circumvent current standards.

Second, in order to address these issues with data collectors and trackers, TRUSTe has built an extension to our OBA compliance offering, TRUSTed Ads, which is designed to support the DAA’s self-regulatory principles. We have done this by creating an additional TRUSTed Data Collection Certification, where we help clients refine and optimize their platform’s privacy protections to the deepest levels of their technology and code. TRUSTed Data Collection Certification helps businesses collect and use data responsibly and provides them with a white listing in TRUSTe’s IE 9’s Tracking Protection List (TPL). TRUSTe clients such as Blue Kai, Quantcast, InsightExpress, Specific Media, Casale, and others have taken advantage of this deep TRUSTe platform certification to demonstrate to advertisers, media buyers, partners, consumers, and regulators that they meet the highest standards of privacy (including the DAA program) and that their technical methodologies are consistent with their disclosure and best practices. We are working to extend this product offering even further as the browser market continue to embrace Do Not Track and other data collection privacy principles and best practices.